eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/containers/prowler/Dockerfile
Erich Blume 7c1cd11e45
All checks were successful
Build Container / detect (push) Successful in 3s
Details
Build Container / build-dagger (prowler) (push) Successful in 36s
Details
Upgrade Prowler to 5.23.0, remove registry workaround (#336) 
## Summary

- Upgrade Prowler from 5.22.0 to 5.23.0
- Remove the `enumerate-images` init container workaround from `cronjob-image-scan.yaml`
- Use native `--registry` and `--image-filter` flags now that upstream fix (PR prowler-cloud/prowler#10470) is released

The init container was a workaround for prowler-cloud/prowler#10457 where `--registry` args weren't forwarded to the provider constructor. We wrote the fix, it was merged, and v5.23.0 includes it.

## Test plan

- [ ] Build new container (`mise run container-release prowler 5.23.0`)
- [ ] Update kustomization.yaml with new image tag
- [ ] Sync prowler ArgoCD app from branch
- [ ] Manually trigger image scan job and verify `--registry` works natively
- [ ] Verify CIS and IaC scan cronjobs still work

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #336
2026-04-14 13:45:28 -07:00

63 lines
2.2 KiB
Docker
Raw Blame History

# Prowler CIS scanner — slim build for Kubernetes, image, and IaC providers
# Strips PowerShell (M365) and dashboard dependencies from upstream
# Includes Trivy for image vulnerability and IaC scanning
ARG CONTAINER_APP_VERSION=5.23.0
FROM python:3.12-slim-bookworm AS build
ARG CONTAINER_APP_VERSION
RUN apt-get update && apt-get install -y --no-install-recommends \
git ca-certificates \
&& rm -rf /var/lib/apt/lists/*
WORKDIR /build
RUN git clone --depth 1 --branch ${CONTAINER_APP_VERSION} \
https://forge.ops.eblu.me/mirrors/prowler.git .
# Install prowler into a virtualenv so we can copy it cleanly
RUN python -m venv /opt/prowler \
&& /opt/prowler/bin/pip install --no-cache-dir --upgrade pip \
&& /opt/prowler/bin/pip install --no-cache-dir .
# ---
FROM python:3.12-slim-bookworm
ARG CONTAINER_APP_VERSION
LABEL org.opencontainers.image.title="prowler"
LABEL org.opencontainers.image.version="${CONTAINER_APP_VERSION}"
LABEL org.opencontainers.image.source="https://forge.eblu.me/eblume/blumeops"
LABEL org.opencontainers.image.vendor="blumeops"
LABEL org.opencontainers.image.description="Prowler scanner (Kubernetes, image, IaC providers)"
ARG TRIVY_VERSION=0.69.2
RUN ARCH=$(dpkg --print-architecture) \
&& case "$ARCH" in \
amd64) TRIVY_ARCH="Linux-64bit" ;; \
arm64) TRIVY_ARCH="Linux-ARM64" ;; \
*) echo "Unsupported architecture: $ARCH" && exit 1 ;; \
esac \
&& apt-get update && apt-get install -y --no-install-recommends wget ca-certificates \
&& wget -q "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_${TRIVY_ARCH}.tar.gz" -O /tmp/trivy.tar.gz \
&& tar xzf /tmp/trivy.tar.gz -C /usr/local/bin trivy \
&& chmod +x /usr/local/bin/trivy \
&& rm /tmp/trivy.tar.gz \
&& apt-get purge -y wget && apt-get autoremove -y && rm -rf /var/lib/apt/lists/*
RUN addgroup --gid 1000 prowler \
&& adduser --uid 1000 --gid 1000 --disabled-password --gecos "" prowler \
&& mkdir -p /tmp/.cache/trivy && chown prowler:prowler /tmp/.cache/trivy
COPY --from=build /opt/prowler /opt/prowler
ENV PATH="/opt/prowler/bin:${PATH}"
ENV TRIVY_CACHE_DIR="/tmp/.cache/trivy"
USER prowler
WORKDIR /home/prowler
ENTRYPOINT ["prowler"]
Reference in a new issue View git blame Copy permalink